Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 7: Physical & Environmental Security
Copyright 2014 Pearson Education, Inc.
Objectives
Define the concept of physical security and how it relates to information security
Evaluate the security requirements of facilities, offices, and equipment
Understand the environmental risks posed to physical structures, areas within those structures, and equipment
Enumerate the vulnerabilities related to reusing and disposing of equipment
Recognize the risk posed by the loss or theft of mobile devices and media
Develop policies designed to ensure the physical and environmental security of information, information systems, and information processing and storage facilities
Understanding the Secure Facility Layered Defense Model
If an intruder bypasses one layer of controls, the next layer should provide additional defense and detection capabilities
Layers are both physical and psychological
The appearance of security is itself a deterrent
How to Secure the Site
All implemented controls to physically protect information are dictated first by a thorough analysis of the company’s risks and vulnerabilities, along with the value of the information that requires protection
From what are we protecting information assets?
  Theft
  Malicious destruction
  Accidental damage
  Damage that results from natural disasters
How to Secure the Site cont.
The design of a secure site starts with the location
Location-based threats:
  Political stability
  Susceptibility to terrorism
  Crime rate in the area
  Roadways and flight paths
  Utility stability
  Vulnerability to natural disasters
Critical information processing facilities should be inconspicuous and unremarkable
How to Secure the Site cont.
The physical perimeter can be protected using:
  Berms
  Fences
  Gates
  Bollards
  Mantraps
  Illuminated entrances, exits, pathways, and parking areas
  Manned reception desk
  Cameras, closed-circuit TV, alarms, motion sensors
  Security guards
How Is Physical Access Controlled?
Physical entry controls: access control rules should be designed for
  Employees
  Third-party contractors/partners/vendors
  Visitors
Visitors should be required to wear identification that can be evaluated from a distance, such as a badge
Identification should start as soon as a person attempts to gain entry
How Is Physical Access Controlled? cont.
Physical entry controls:
  Users should be authorized before being granted access to a protected area
  Visitors should be identified, labeled, and authorized before being granted access to a protected area
  An audit trail of entry decisions should be created
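The entry-control rules above (identify at the point of entry, authorize per protected area, treat visitors separately, record everything) can be expressed as a small decision routine. The following is an added example written for this page; it is not code from the textbook or the slides. Badge ids, names, area names and the rule that a visitor must be escorted by an employee authorized for the area are constructed sample data and assumptions.

```python
"""Physical entry control with an audit trail (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class BadgeHolder:
    badge_id: str
    name: str
    category: str                 # "employee", "contractor" or "visitor"
    areas: Set[str]               # protected areas this badge may enter
    labeled: bool = False         # visitors must wear a visible visitor badge


@dataclass
class EntryControl:
    directory: Dict[str, BadgeHolder]
    audit_trail: List[dict] = field(default_factory=list)

    def request_entry(self, badge_id: str, area: str,
                      escort_id: Optional[str] = None,
                      now: Optional[datetime] = None) -> bool:
        """Decide one entry request and record it; returns True if granted."""
        now = now or datetime.now(timezone.utc)
        holder = self.directory.get(badge_id)

        # 1. Identification: an unknown badge is denied and logged as such.
        if holder is None:
            return self._record(now, badge_id, area, False, "unidentified badge")

        # 2. Authorization: the badge must be authorized for this specific
        #    area, not merely for the building in general.
        if area not in holder.areas:
            return self._record(now, badge_id, area, False, "not authorized for area")

        # 3. Visitors: must be labeled (visible badge) and, as an assumption of
        #    this example, escorted by an employee authorized for the area.
        if holder.category == "visitor":
            if not holder.labeled:
                return self._record(now, badge_id, area, False, "visitor not labeled")
            escort = self.directory.get(escort_id) if escort_id else None
            if escort is None or escort.category != "employee" or area not in escort.areas:
                return self._record(now, badge_id, area, False,
                                    "visitor without authorized escort")

        return self._record(now, badge_id, area, True, "granted")

    def _record(self, now, badge_id, area, granted, reason) -> bool:
        # Every decision is appended, denials included: attempted entries into
        # protected areas are exactly what an investigator needs to see later.
        self.audit_trail.append({
            "time": now.isoformat(),
            "badge_id": badge_id,
            "area": area,
            "granted": granted,
            "reason": reason,
        })
        return granted


def build_demo() -> EntryControl:
    """Constructed directory: one employee, one contractor and one visitor."""
    directory = {
        "E-1001": BadgeHolder("E-1001", "Ana (employee)", "employee",
                              {"lobby", "office", "server room"}),
        "C-2001": BadgeHolder("C-2001", "Ben (HVAC vendor)", "contractor",
                              {"lobby", "plant room"}),
        "V-3001": BadgeHolder("V-3001", "Cal (visitor)", "visitor",
                              {"lobby", "office"}, labeled=True),
    }
    return EntryControl(directory)


if __name__ == "__main__":
    ctl = build_demo()
    ctl.request_entry("E-1001", "server room")                  # granted
    ctl.request_entry("C-2001", "server room")                  # denied: not authorized
    ctl.request_entry("V-3001", "office", escort_id="E-1001")   # granted (escorted)
    ctl.request_entry("V-3001", "office")                       # denied: no escort
    ctl.request_entry("X-9999", "lobby")                        # denied: unidentified
    for entry in ctl.audit_trail:
        print(entry)
```

The audit trail records denials as well as grants; a trail that only logs successful entries cannot show an investigator who tried to reach the server room and failed.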
Securing Offices, Rooms, and Facilities
The outer physical perimeter is not the only focus of the physical security policy
Workspaces should be classified based on the level of protection required
Some internal rooms and offices must be protected differently
Parts of individual rooms may also require different levels of protection, such as cabinets and closets
Working in Secure Areas
Goal: Define behavioral and physical controls for the most sensitive workspaces within information processing facilities
Policy controls are in addition to – and not in place of – existing physical controls, unless they supersede them
Policy should include devices not allowed on premises, such as cameras, smartphones, tablets, and USB drives
Sensitive documents should be secured from viewing by unauthorized personnel while not in use
Copiers, scanners, and fax machines should be located in nonpublic areas and require use codes
Protecting Equipment
Both company- and employee-owned equipment should be protected
Hardware assets must be protected from:
  Theft
  Power spikes
  Power loss
One way to reduce power consumption is to purchase Energy Star certified devices
Protecting Equipment cont.
Potential power problems include:
  Brownout: Period of low voltage
  Power surge: Increase in voltage
  Blackout: Interruption or loss of power
Power equipment that can be used:
  Uninterruptible Power Supply
  Back-up power supplies
  Power conditioners
  Voltage regulators
  Isolation transformers
  Line filters
  Surge protection equipment
How Dangerous Is Fire?
Three elements to fire protection:
  Fire prevention controls: active and passive
  Fire detection
  Fire containment and suppression: involves responding to the fire; the suppression method is specific to the fire classification
    Class A
    Class B
    Class C
    Class D
What About Disposal?
Formatting a hard drive or deleting files does not mean that the data located on that drive cannot be retrieved
All computers that are discarded must be sanitized prior to being disposed of
Policy should be crafted to disallow access to information through improper disposal or reuse of equipment
Sanitization methods:
  Disk wiping
  Degaussing
  Destruction
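The point that deleting or formatting is not sanitization can be shown with a toy disk model. The following is an added example written for this page, not code from the textbook or the slides: a bytearray stands in for the drive's blocks and a dictionary for its directory. Deleting a file or quick-formatting only discards directory entries, so the bytes can still be carved out of the raw blocks; wiping overwrites every block and is then verified by reading it back. The disk layout, the sample record and the verify step are constructed for the example; degaussing and physical destruction are not modeled.

```python
"""Delete vs. format vs. wipe on a toy disk (added example, constructed data)."""
import os
from typing import Dict, Tuple


class ToyDisk:
    def __init__(self, size_bytes: int) -> None:
        self.blocks = bytearray(size_bytes)
        self.directory: Dict[str, Tuple[int, int]] = {}   # name -> (offset, length)
        self.next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        if self.next_free + len(data) > len(self.blocks):
            raise IOError("disk full")
        off = self.next_free
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free += len(data)

    def read_file(self, name: str) -> bytes:
        off, length = self.directory[name]
        return bytes(self.blocks[off:off + length])

    def delete_file(self, name: str) -> None:
        # A normal delete removes only the directory entry; the data blocks
        # stay untouched until something later happens to overwrite them.
        del self.directory[name]

    def quick_format(self) -> None:
        # A quick format rebuilds an empty directory; it does not touch data.
        self.directory.clear()
        self.next_free = 0

    def carve(self, needle: bytes) -> bool:
        # Recovery tools ignore the directory and scan the raw blocks.
        return self.blocks.find(needle) != -1

    def wipe(self, random_passes: int = 1) -> None:
        # Disk wiping: overwrite every block. Random passes first, then a final
        # zero pass so the result can be verified with a simple read-back.
        for _ in range(random_passes):
            self.blocks[:] = os.urandom(len(self.blocks))
        self.blocks[:] = bytes(len(self.blocks))
        self.directory.clear()
        self.next_free = 0

    def verify_sanitized(self) -> bool:
        # Read-back verification: after the zero pass no block may be non-zero.
        return not any(self.blocks)


SECRET = b"ACCOUNT 4421-7788 BALANCE 1,203,400.00"   # constructed sample record


def disposal_walkthrough() -> dict:
    """Run delete -> quick format -> wipe and report what remains recoverable."""
    disk = ToyDisk(4096)
    disk.write_file("ledger.txt", SECRET)
    disk.write_file("notes.txt", b"meeting at 10")
    result = {}
    disk.delete_file("ledger.txt")
    result["recoverable_after_delete"] = disk.carve(b"ACCOUNT 4421")
    disk.quick_format()
    result["recoverable_after_format"] = disk.carve(b"ACCOUNT 4421")
    result["verified_after_format"] = disk.verify_sanitized()
    disk.wipe()
    result["recoverable_after_wipe"] = disk.carve(b"ACCOUNT 4421")
    result["verified_after_wipe"] = disk.verify_sanitized()
    return result


if __name__ == "__main__":
    for step, value in disposal_walkthrough().items():
        print(f"{step:28s} {value}")
```

The verify step is the part a disposal policy should insist on: a wipe that is not read back and checked is a claim, not a control.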
Summary
The physical perimeter of the company must be secured.
Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed.
Environmental threats such as power loss must be taken into account and the proper hardware must be deployed.
A clean screen and desk policy is important to protect the confidentiality of company-owned data.
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 6: Human Resources Security
Objectives
Define the relationship between information security and personnel practices
Recognize the stages of the employee lifecycle
Describe the purpose of confidentiality and acceptable use agreements
Understand appropriate security education, training, and awareness programs
Create personnel-related security policies and procedures
The Employee Lifecycle
Represents stages in the employee’s career
Lifecycle models can vary, but most include the following stages:
  Recruitment
  Onboarding
  User provisioning
  Orientation
  Career development
  Termination
What Does Recruitment Have to Do with Security?
Risks and rewards of posting online employment ads:
  A company can reach a wider audience
  A company can publish an ad that gives too much information:
    About the network infrastructure, allowing a hacker to footprint the internal network easily and stealthily
    About the company itself, inviting social engineering attacks
Job Postings
Job descriptions are supposed to:
  Convey the mission of the organization
  Describe the position in general terms
  Outline the responsibilities attached to said position
  Outline the company’s commitment to security via the use of such terms as non-disclosure agreement
Job descriptions are NOT supposed to:
  Include information about specific systems, software versions, security configurations, or access controls
  It’s harder to hack a network if one doesn’t know what hardware and software are in use
If the above information is deemed necessary, two versions of the position can be created. The second, more detailed version should be posted internally and shared with candidates that have made the “first cut”
Candidate Application Data
Companies are responsible for protecting the data and privacy of the job seeker
Non-public personal information (NPPI) should not be collected if possible
The Interview
Job interview:
  The interviewer should be concerned about revealing too much about the company during the interview
  Job candidates should never gain access to secured areas
  A job interview is a perfect foot-printing opportunity for hackers and social engineers
Screening Prospective Employees
An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
Some higher-level positions may require even more in-depth checks
Many U.S. government jobs require that prospective employees have the requisite clearance level
Types of Background Checks
The company should have a basic background check level to which all employees are subjected
Information owners may require more in-depth checks for specific roles
Workers also have a right to privacy: Not all information is fair game to gather – only information relevant to the actual work they perform
Companies should seek consent from employees before launching a background check
Types of Background Checks cont.
Educational records fall under FERPA. Schools must first have written authorization before they can provide student-related information
Motor vehicle records fall under DPPA, which means that the DMV – or its employees – are not allowed to disclose information obtained by the department
The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act
Types of Background Checks cont.
Bankruptcies may not be used as the SOLE reason to not hire someone, according to Title 11 of the U.S. Bankruptcy Code
Criminal history: The use of this sort of information varies from state to state
Worker’s compensation records: In most states, these records are public records, but their use may not violate the Americans with Disabilities Act
What Happens in the Onboarding Phase?
The new hire is added to the organization’s payroll and benefit systems
New employees must provide:
  Proof of identity
  Work authorization
  Tax identification
Two forms that must be completed:
  Form I-9
  Form W-4
What Is User Provisioning?
The process of:
  Creating user accounts and group memberships
  Providing company identification
  Assigning access rights and permissions
  Assigning access devices such as tokens and/or smartcards
The user should be provided with and acknowledge the terms and conditions of the Acceptable Use Agreement before being granted access
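The provisioning steps above, together with the lifecycle's termination stage and the requirement that the Acceptable Use Agreement be acknowledged before access is granted, can be modeled as one small service. This is an added example written for this page, not code from the textbook or the slides: accounts, group memberships, rights and access devices are derived from the person's role, provisioning is refused until the AUA acknowledgment is on record, and deprovisioning at termination revokes everything. The role catalog, group names, rights and device types are constructed sample data.

```python
"""User provisioning gated on the AUA, with deprovisioning (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role catalog: each role gets only the groups, rights and devices
# its work needs (least privilege), never an ad hoc superset.
ROLE_CATALOG = {
    "accounts_clerk": {"groups": {"staff", "finance-ro"},
                       "rights": {"read:ledger"},
                       "devices": {"badge"}},
    "sysadmin":       {"groups": {"staff", "it-ops"},
                       "rights": {"read:ledger", "admin:servers"},
                       "devices": {"badge", "hardware-token"}},
}


@dataclass
class Account:
    user_id: str
    role: str
    groups: Set[str] = field(default_factory=set)
    rights: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    enabled: bool = True


class ProvisioningService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.aua_acknowledged: Set[str] = set()
        self.events: List[str] = []          # simple provisioning audit log

    def record_aua_acknowledgment(self, user_id: str) -> None:
        self.aua_acknowledged.add(user_id)
        self.events.append(f"{user_id} acknowledged AUA")

    def provision(self, user_id: str, role: str) -> Account:
        # Gate: no account, group, right or device is granted until the
        # Acceptable Use Agreement has been acknowledged.
        if user_id not in self.aua_acknowledged:
            self.events.append(f"{user_id} provisioning refused: AUA not acknowledged")
            raise PermissionError("Acceptable Use Agreement not acknowledged")
        if role not in ROLE_CATALOG:
            raise ValueError(f"unknown role {role!r}")
        spec = ROLE_CATALOG[role]
        account = Account(user_id, role, set(spec["groups"]),
                          set(spec["rights"]), set(spec["devices"]))
        self.accounts[user_id] = account
        self.events.append(f"{user_id} provisioned as {role}")
        return account

    def deprovision(self, user_id: str) -> Account:
        # Termination stage: disable the account and revoke every group,
        # right and device so nothing lingers after the person has left.
        account = self.accounts[user_id]
        account.enabled = False
        account.groups.clear()
        account.rights.clear()
        account.devices.clear()
        self.events.append(f"{user_id} deprovisioned")
        return account


def lifecycle_demo() -> ProvisioningService:
    """Constructed walk-through: refused, then acknowledged, provisioned, terminated."""
    svc = ProvisioningService()
    try:
        svc.provision("jdoe", "accounts_clerk")     # refused: AUA not yet signed
    except PermissionError:
        pass
    svc.record_aua_acknowledgment("jdoe")
    svc.provision("jdoe", "accounts_clerk")
    svc.deprovision("jdoe")
    return svc


if __name__ == "__main__":
    for line in lifecycle_demo().events:
        print(line)
```

Deriving entitlements from a role catalog rather than copying another user's account is what keeps the "assigning access rights" step aligned with the position actually being filled.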
What Should an Employee Learn During Orientation?
His responsibilities
Information handling standards and privacy protocols
Ask questions
The Importance of Employee Agreements
Confidentiality or non-disclosure agreements
  Agreement between employees and organization
  Defines what information may not be disclosed by employees
  Goal: To protect sensitive information
  Especially important in these situations:
    When an employee is terminated or leaves
    When a third-party contractor is employed
The Importance of Employee Agreements cont.
Acceptable Use Agreement
  A policy contract between the company and information systems user
Components of an Acceptable Use Agreement:
  Introduction
  Data classifications
  Applicable policy statement
  Handling standards
  Contacts
  Sanctions for violations
  Acknowledgment
The Importance of Security Education and Training
Training employees
According to NIST: “Federal agencies […] cannot protect […] information […] without ensuring that all people involved […]:
  Understand their role and responsibilities related to the organization’s mission
  Understand the organization’s IT security policy, procedures and practices
  Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible”
The Importance of Security Education and Training cont.
Hackers adapt: If it is easier to use social engineering – i.e., targeting users – rather than hack a network device, that is the road they will take
Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company
What Is the SETA Model?
What is SETA? Security Education, Training and Awareness
Awareness is not training: It is focusing the attention of employees on security topics to change their behavior
Security awareness campaigns should be scheduled regularly
Security training “seeks to teach skills” (per NIST)
Security training should NOT be dispensed only to the technical staff but to all employees
Summary
A security policy that does not include personnel as a permanent threat to the data owned by the company is incomplete. Social engineering is more virulent than ever.
Failing to train users on security topics is a serious mistake and may result in a lack of compliance with some federal mandates.
All users should sign the Acceptable Use Agreement before receiving access to the company’s systems and equipment.
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxPooja Bhuva
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 

Recently uploaded (20)

Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 

Security Program and PoliciesPrinciples and Practicesby Sari.docx

How to Secure the Site cont.
Location-based threats, continued:
Susceptibility to terrorism
Crime rate in the area
Roadways and flight paths
Utility stability
Vulnerability to natural disasters
Critical information processing facilities should be inconspicuous and unremarkable

How to Secure the Site cont.
The physical perimeter can be protected using:
Berms
Fences
Gates
Bollards
Mantraps
Illuminated entrances, exits, pathways, and parking areas
Manned reception desk
Cameras, closed-circuit TV, alarms, motion sensors
Security guards

How Is Physical Access Controlled?
Physical entry controls:
Access control rules should be designed for each population that enters the site:
Employees
Third-party contractors, partners, and vendors
Visitors
Visitors should be required to wear identification that can be evaluated from a distance, such as a badge
Identification should start as soon as a person attempts to gain entry

How Is Physical Access Controlled? cont.
Physical entry controls:
Employees should be authenticated and their authorization confirmed before they gain access to a protected area
Visitors should be identified, labeled, and authorized before they gain access to a protected area
An audit trail of entry decisions (who, where, when, and whether access was granted) should be created

Securing Offices, Rooms, and Facilities
The outer physical perimeter is not the only focus of the physical security policy
Workspaces should be classified based on the level of protection required
Some internal rooms and offices must be protected differently from the rest of the building
Parts of individual rooms, such as cabinets and closets, may also require different levels of protection

Working in Secure Areas
Goal: define behavioral and physical controls for the most sensitive workspaces within information processing facilities
Policy controls are in addition to, not in place of, existing physical controls, unless they explicitly supersede them
Policy should list devices not allowed on the premises, such as cameras, smartphones, tablets, and USB drives
Sensitive documents should be secured from viewing by unauthorized personnel while not in use
Copiers, scanners, and fax machines should be located in nonpublic areas and require use codes

Protecting Equipment
Both company-owned and employee-owned equipment should be protected
Hardware assets must be protected from:
Theft
Power spikes
Power loss
One way to reduce power consumption is to purchase Energy Star certified devices

Protecting Equipment cont.
Potential power problems include:
Brownout: a period of low voltage
Power surge: an increase in voltage
Blackout: an interruption or complete loss of power
Power equipment that can be used:
Uninterruptible power supply (UPS)
Back-up power supplies
Power conditioners
Voltage regulators
Isolation transformers
Line filters
Surge protection equipment
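The physical entry control, workspace classification and secure-area slides above describe a decision that a badge system or a reception desk makes many times a day: who is asking, which zone they want, are they authorized for it, are they escorted, and are they carrying anything the zone bans, with every decision written to an audit trail. The following is an added example of that decision logic in Python; it is not code from the book or from any access control product. The zone names, the three person categories, the escort rules and the list of banned devices are assumptions chosen to illustrate the slides.

```python
"""Zone-based physical entry decisions with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum, IntEnum
from typing import List, Optional, Tuple


class Zone(IntEnum):
    """Workspace classification, least to most protected (assumed names)."""
    PUBLIC = 0      # lobby, manned reception desk
    OFFICE = 1      # general office floor
    RESTRICTED = 2  # records room, wiring closets, copier room
    SECURE = 3      # data center and other most-sensitive workspaces


class Category(str, Enum):
    EMPLOYEE = "employee"
    CONTRACTOR = "contractor"
    VISITOR = "visitor"


# Devices the secure-area policy bans on the premises (taken from the slide).
PROHIBITED_IN_SECURE = {"camera", "smartphone", "tablet", "usb drive"}


@dataclass
class Person:
    person_id: str
    category: Category
    badge_active: bool
    max_zone: Zone                      # highest zone this person is authorized for
    escort_id: Optional[str] = None     # badge of the employee escorting them, if any
    devices: List[str] = field(default_factory=list)


@dataclass
class AuditRecord:
    when: str
    person_id: str
    category: str
    zone: str
    granted: bool
    reason: str


class EntryController:
    """Decides entry requests and records every decision, granted or denied."""

    def __init__(self) -> None:
        self.audit_trail: List[AuditRecord] = []

    def decide(self, person: Person, zone: Zone) -> Tuple[bool, str]:
        # Identification starts at the point of entry: no active badge, no entry.
        if not person.badge_active:
            return False, "badge inactive or missing"
        # Authorization before access: the zone must be within what was granted.
        if zone > person.max_zone:
            return False, f"not authorized for {zone.name}"
        if person.category is Category.VISITOR:
            if zone is Zone.SECURE:
                return False, "visitors are never admitted to SECURE areas"
            if zone > Zone.PUBLIC and person.escort_id is None:
                return False, "visitor must be escorted beyond PUBLIC"
        if person.category is Category.CONTRACTOR and zone is Zone.SECURE \
                and person.escort_id is None:
            return False, "contractor must be escorted in SECURE areas"
        # Secure areas: banned devices stay outside, whoever carries them.
        if zone is Zone.SECURE:
            banned = PROHIBITED_IN_SECURE.intersection(d.lower() for d in person.devices)
            if banned:
                return False, "prohibited device(s): " + ", ".join(sorted(banned))
        return True, "authorized"

    def request_entry(self, person: Person, zone: Zone) -> bool:
        granted, reason = self.decide(person, zone)
        self.audit_trail.append(AuditRecord(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            person_id=person.person_id,
            category=person.category.value,
            zone=zone.name,
            granted=granted,
            reason=reason,
        ))
        return granted


def demo() -> List[AuditRecord]:
    """Constructed sequence of entry requests; returns the resulting audit trail."""
    ctl = EntryController()
    alice = Person("E-1001", Category.EMPLOYEE, True, Zone.SECURE)
    bob = Person("C-2002", Category.CONTRACTOR, True, Zone.SECURE, devices=["smartphone"])
    carol = Person("V-3003", Category.VISITOR, True, Zone.OFFICE)
    ctl.request_entry(alice, Zone.SECURE)        # granted
    ctl.request_entry(bob, Zone.SECURE)          # denied: no escort
    bob.escort_id = alice.person_id
    ctl.request_entry(bob, Zone.SECURE)          # denied: smartphone
    ctl.request_entry(carol, Zone.OFFICE)        # denied: unescorted visitor
    carol.escort_id = alice.person_id
    ctl.request_entry(carol, Zone.OFFICE)        # granted
    ctl.request_entry(carol, Zone.RESTRICTED)    # denied: beyond her authorization
    return ctl.audit_trail


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Denied requests are logged with the same detail as granted ones; a trail that only records successes cannot show the tailgating attempts or the visitor who tried the server room door, which is exactly the detection value the layered defense model asks each layer to provide.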
How Dangerous Is Fire?
Three elements of fire protection:
Fire prevention controls (active and passive)
Fire detection
Fire containment and suppression: responding to the fire with an agent matched to the fire class
Class A: ordinary combustibles such as wood and paper
Class B: flammable liquids and gases
Class C: energized electrical equipment
Class D: combustible metals

What About Disposal?
Formatting a hard drive or deleting files does not mean that the data on that drive cannot be retrieved
All computers that are discarded must be sanitized prior to disposal
Policy should disallow access to information through improper disposal or reuse of equipment
Sanitization methods:
Disk wiping
Degaussing
Destruction
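The disposal slide states the key fact without showing it: a delete or a quick format touches the file system's bookkeeping, not the blocks that hold the data, so the contents can be carved back out of the raw device. The following added example (not from the book) makes that visible on a tiny simulated drive: a single allocation block in front of fifteen data blocks, an assumed and deliberately simplified layout. It deletes a file, quick-formats the drive, shows that a raw scan still finds the record, then overwrites the whole device the way a disk-wiping tool does and verifies the result. The payroll record is a constructed sample.

```python
"""Delete and quick format versus wiping, on a simulated drive (added example)."""
import os
import re
from typing import Dict, List, Tuple

BLOCK_SIZE = 64
TABLE_BLOCKS = 1           # block 0 holds the allocation table (assumed layout)
DATA_BLOCKS = 15
DISK_SIZE = BLOCK_SIZE * (TABLE_BLOCKS + DATA_BLOCKS)


def new_disk() -> bytearray:
    return bytearray(DISK_SIZE)


def _table(disk: bytearray) -> bytes:
    """Raw allocation table: 'name:first_block:length;' entries, zero padded."""
    return bytes(disk[:BLOCK_SIZE]).rstrip(b"\x00")


def _write_table(disk: bytearray, files: Dict[str, Tuple[int, int]]) -> None:
    table = b"".join(f"{n}:{s}:{l};".encode() for n, (s, l) in files.items())
    if len(table) > BLOCK_SIZE:
        raise ValueError("directory full")
    disk[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)
    disk[0:len(table)] = table


def list_files(disk: bytearray) -> Dict[str, Tuple[int, int]]:
    files: Dict[str, Tuple[int, int]] = {}
    for entry in _table(disk).split(b";"):
        if entry:
            name, start, length = entry.decode().split(":")
            files[name] = (int(start), int(length))
    return files


def write_file(disk: bytearray, name: str, data: bytes, first_block: int) -> None:
    """Store data in consecutive data blocks and register it in the table."""
    needed = -(-len(data) // BLOCK_SIZE)
    if not (TABLE_BLOCKS <= first_block and first_block + needed <= TABLE_BLOCKS + DATA_BLOCKS):
        raise ValueError("out of range")
    files = list_files(disk)
    files[name] = (first_block, len(data))
    _write_table(disk, files)
    off = first_block * BLOCK_SIZE
    disk[off:off + len(data)] = data


def delete_file(disk: bytearray, name: str) -> None:
    """What an ordinary delete does: drop the directory entry, leave the blocks."""
    files = list_files(disk)
    del files[name]
    _write_table(disk, files)


def quick_format(disk: bytearray) -> None:
    """A quick format rewrites only the allocation structures."""
    disk[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)


def carve(disk: bytearray, pattern: bytes) -> List[int]:
    """File carving: scan the raw bytes for content, ignoring the table."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(disk))]


def wipe(disk: bytearray, passes: int = 1) -> None:
    """Overwrite every byte: random pass(es) followed by a final pass of zeros."""
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    disk[:] = bytes(len(disk))


def verify_wiped(disk: bytearray) -> bool:
    """Verification step: read the device back and confirm nothing survived."""
    return not any(disk)


def demo() -> Dict[str, bool]:
    disk = new_disk()
    secret = b"SSN=123-45-6789 salary=95000"          # constructed sample record
    write_file(disk, "payroll.txt", secret, first_block=3)
    results: Dict[str, bool] = {}
    delete_file(disk, "payroll.txt")
    results["listed_after_delete"] = "payroll.txt" in list_files(disk)   # False
    results["carved_after_delete"] = len(carve(disk, b"SSN=")) == 1        # True
    write_file(disk, "notes.txt", b"hello", first_block=1)
    quick_format(disk)
    results["carved_after_format"] = len(carve(disk, b"SSN=")) == 1        # True
    wipe(disk, passes=1)
    results["carved_after_wipe"] = len(carve(disk, b"SSN=")) == 0          # True
    results["verified"] = verify_wiped(disk)                               # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

Two caveats a disposal policy should carry. Overwriting from the host reaches only the sectors the drive exposes; on SSDs, wear leveling and over-provisioning keep copies the wipe never sees, so the purge method for flash is the drive's own sanitize/secure-erase command, cryptographic erase, or destruction. Degaussing works only on magnetic media and does nothing to flash. NIST SP 800-88 (Guidelines for Media Sanitization) is the usual reference for matching the method (clear, purge, destroy) to the media type and the data's sensitivity, and it expects the result to be verified and recorded, which is what verify_wiped stands in for above.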
Summary
The physical perimeter of the company must be secured.
Some internal rooms and offices must be identified as needing more security controls than others, and those controls must be deployed.
Environmental threats such as power loss must be taken into account and the proper hardware must be deployed.
A clean screen and clean desk policy is important to protect the confidentiality of company-owned data.

Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 6: Human Resources Security

Objectives
Define the relationship between information security and personnel practices
Recognize the stages of the employee lifecycle
Describe the purpose of confidentiality and acceptable use agreements
Understand appropriate security education, training, and awareness programs
Create personnel-related security policies and procedures

The Employee Lifecycle
Represents the stages in an employee's career
Lifecycle models vary, but most include the following stages:
Recruitment
Onboarding
User provisioning
Orientation
Career development
Termination

What Does Recruitment Have to Do with Security?
Risks and rewards of posting online employment ads:
A company can reach a wider audience
A company can also publish an ad that gives away too much information:
About the network infrastructure, which lets an attacker footprint the internal network easily and stealthily
About the company itself, inviting social engineering attacks

Job Postings
Job descriptions are supposed to:
Convey the mission of the organization
Describe the position in general terms
Outline the responsibilities attached to the position
Signal the company's commitment to security through terms such as "non-disclosure agreement"
Job descriptions are NOT supposed to:
Include information about specific systems, software versions, security configurations, or access controls
It is harder to attack a network when one does not know what hardware and software it runs
If that level of detail is necessary, create two versions of the posting: the second, more detailed version is posted internally and shared only with candidates who have made the "first cut"

Candidate Application Data
Companies are responsible for protecting the data and privacy of the job seeker
Non-public personal information (NPPI) should not be collected unless it is needed

The Interview
The interviewer should be concerned about revealing too much about the company during the interview
Job candidates should never gain access to secured areas
A job interview is a perfect footprinting opportunity for hackers and social engineers
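The job posting and interview slides above warn that an externally posted ad naming specific systems and versions is reconnaissance handed to an attacker. The check below is an added example of how an HR or security reviewer could screen a draft posting before it goes out; it is not code from the book. The product list, the version and address patterns, the severity levels and the two sample postings are assumptions constructed for the example, and the list would be extended to whatever a given company actually runs.

```python
"""Screen a draft job posting for infrastructure disclosures (added example)."""
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    severity: str   # "high": must not be posted externally; "medium": review wording
    kind: str
    text: str


# Assumed product list; extend it to match your own environment.
KNOWN_PRODUCTS = [
    "Cisco ASA", "Palo Alto", "Fortinet", "Check Point", "Splunk", "QRadar",
    "CrowdStrike", "SentinelOne", "Okta", "Active Directory", "Windows Server",
    "SQL Server", "Exchange Server", "Nessus",
]
PRODUCT_RE = re.compile(r"\b(" + "|".join(map(re.escape, KNOWN_PRODUCTS)) + r")\b")
# Capitalized product name followed by a dotted version, e.g. "Splunk 7.3.1".
DOTTED_VERSION_RE = re.compile(
    r"\b[A-Z][A-Za-z0-9]+(?: [A-Z][A-Za-z0-9]+){0,2} (?:v(?:ersion )?)?\d+(?:\.\d+)+\b"
)
# Year-versioned Microsoft products, e.g. "Windows Server 2012 R2".
YEAR_VERSION_RE = re.compile(
    r"\b(?:Windows Server|Windows|Exchange Server|SQL Server|Office) \d{4}(?: R2)?\b"
)
# RFC 1918 address ranges and internal-only DNS suffixes (assumed suffix list).
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b"
)
INTERNAL_HOST_RE = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:corp|internal|local|lan|intranet)\b",
    re.IGNORECASE,
)


def scan_posting(text: str) -> List[Finding]:
    """Return every disclosure found, high-severity items first."""
    findings: List[Finding] = []
    covered: List[Tuple[int, int]] = []   # spans already reported as high

    def add(severity: str, kind: str, match: "re.Match[str]") -> None:
        findings.append(Finding(severity, kind, match.group(0)))
        covered.append(match.span())

    for m in DOTTED_VERSION_RE.finditer(text):
        add("high", "software version", m)
    for m in YEAR_VERSION_RE.finditer(text):
        add("high", "software version", m)
    for m in PRIVATE_IP_RE.finditer(text):
        add("high", "internal address", m)
    for m in INTERNAL_HOST_RE.finditer(text):
        add("high", "internal hostname", m)
    # A bare product name is a weaker signal; skip ones already inside a high finding.
    for m in PRODUCT_RE.finditer(text):
        if not any(a <= m.start() and m.end() <= b for a, b in covered):
            findings.append(Finding("medium", "named product", m.group(0)))
    return findings


def ok_for_external_posting(text: str) -> bool:
    """True when the draft carries no high-severity disclosure."""
    return not any(f.severity == "high" for f in scan_posting(text))


# Constructed sample postings: one that leaks, one that describes the same job safely.
LEAKY_POSTING = (
    "Senior Network Engineer: you will maintain our Cisco ASA 9.12 firewalls, "
    "the Splunk 7.3 SIEM, and Windows Server 2012 R2 domain controllers such as "
    "dc01.corp.example.local on the 10.20.0.0/16 campus network."
)
SAFE_POSTING = (
    "Senior Network Engineer: you will operate and harden our enterprise firewalls, "
    "SIEM, and directory services. A non-disclosure agreement is required."
)

if __name__ == "__main__":
    for posting in (LEAKY_POSTING, SAFE_POSTING):
        print("postable:", ok_for_external_posting(posting))
        for f in scan_posting(posting):
            print(f"  [{f.severity}] {f.kind}: {f.text}")
```

The safe version still tells a candidate what the role involves; the detail the slide says to keep for the internal version (which firewall, which version, which hostnames) is exactly what the high-severity patterns catch. Pattern matching will miss disclosures phrased without a version or a product name, so the check supports a reviewer rather than replacing one.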
Screening Prospective Employees
An organization should protect itself by running background checks on potential employees at all levels of the hierarchy
Some higher-level positions may require even more in-depth checks
Many U.S. government jobs require prospective employees to hold the requisite clearance level

Types of Background Checks
The company should define a basic background check to which all employees are subjected
Information owners may require more in-depth checks for specific roles
Workers also have a right to privacy: not all information is fair game to gather, only information relevant to the actual work they perform
Companies should obtain consent from candidates and employees before launching a background check

Types of Background Checks cont.
Educational records fall under FERPA; schools must have written authorization before they can provide student-related information
Motor vehicle records fall under the DPPA, which bars the DMV and its employees from disclosing the personal information in those records except for the permitted uses the Act lists
The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act

Types of Background Checks cont.
Bankruptcies may not be used as the SOLE reason to refuse to hire someone (Title 11, U.S. Bankruptcy Code)
Criminal history: how this information may be used varies from state to state
Workers' compensation records: in most states these are public records, but their use must not violate the Americans with Disabilities Act

What Happens in the Onboarding Phase?
The new hire is added to the organization's payroll and benefit systems
New employees must provide:
Proof of identity
Work authorization
Tax identification
Two forms that must be completed:
Form I-9
Form W-4

What Is User Provisioning?
The process of:
Creating user accounts and group memberships
Providing company identification
Assigning access rights and permissions
Assigning access devices such as tokens and/or smartcards
The user should be provided with, and acknowledge, the terms and conditions of the Acceptable Use Agreement before being granted access

What Should an Employee Learn During Orientation?
Their responsibilities
Information handling standards and privacy protocols
That they are expected to ask questions when anything is unclear
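The employee lifecycle and user provisioning slides above describe the identity side of HR security: accounts and entitlements are created at onboarding, access is switched on only after the Acceptable Use Agreement is acknowledged, entitlements change with the role, and everything is removed at termination. The following added example (not from the book) works those steps through over a toy in-memory directory. The role-to-group mapping, the account fields and the sample employee are assumptions constructed for the example; in practice the information owners for each system decide what a role may hold.

```python
"""Joiner / mover / leaver provisioning with an AUA gate (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed role-to-group mapping for the example.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "helpdesk": {"all-staff", "ticketing-agents", "workstation-admins"},
    "payroll": {"all-staff", "hr-payroll", "finance-readonly"},
}


@dataclass
class Account:
    username: str
    role: str
    enabled: bool = False            # stays disabled until the AUA is acknowledged
    aua_acknowledged: bool = False
    groups: Set[str] = field(default_factory=set)
    tokens: List[str] = field(default_factory=list)
    badge_id: Optional[str] = None


class Provisioning:
    """Lifecycle steps over a toy in-memory directory, with a change log."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.log: List[str] = []

    def provision(self, username: str, role: str, badge_id: str, token_serial: str) -> Account:
        """Joiner: create the account with the role's groups, ID and token, but do not enable it."""
        if role not in ROLE_GROUPS:
            raise ValueError(f"unknown role {role!r}")
        acct = Account(username, role, groups=set(ROLE_GROUPS[role]),
                       tokens=[token_serial], badge_id=badge_id)
        self.accounts[username] = acct
        self.log.append(f"provisioned {username} as {role}: {sorted(acct.groups)}")
        return acct

    def acknowledge_aua(self, username: str) -> None:
        """Access is turned on only once the Acceptable Use Agreement is acknowledged."""
        acct = self.accounts[username]
        acct.aua_acknowledged = True
        acct.enabled = True
        self.log.append(f"{username} acknowledged the AUA; account enabled")

    def can_sign_in(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return bool(acct and acct.enabled and acct.aua_acknowledged)

    def change_role(self, username: str, new_role: str) -> None:
        """Mover: replace the old role's groups rather than adding to them."""
        if new_role not in ROLE_GROUPS:
            raise ValueError(f"unknown role {new_role!r}")
        acct = self.accounts[username]
        acct.groups = set(ROLE_GROUPS[new_role])
        acct.role = new_role
        self.log.append(f"{username} moved to {new_role}: {sorted(acct.groups)}")

    def terminate(self, username: str) -> None:
        """Leaver: disable sign-in first, then strip every group, token and badge."""
        acct = self.accounts[username]
        acct.enabled = False
        acct.groups.clear()
        acct.tokens.clear()
        acct.badge_id = None
        self.log.append(f"terminated {username}")

    def residual_access(self, username: str) -> Set[str]:
        """Everything still attached to the account; after termination this must be empty."""
        acct = self.accounts[username]
        left = set(acct.groups) | {f"token:{t}" for t in acct.tokens}
        if acct.badge_id:
            left.add(f"badge:{acct.badge_id}")
        if acct.enabled:
            left.add("sign-in")
        return left


def demo() -> Dict[str, object]:
    """Constructed walk-through of one employee's lifecycle; returns checkpoints."""
    p = Provisioning()
    p.provision("jdoe", "helpdesk", badge_id="B-4471", token_serial="OTP-00912")
    before = p.can_sign_in("jdoe")            # False: AUA not yet acknowledged
    p.acknowledge_aua("jdoe")
    after = p.can_sign_in("jdoe")             # True
    p.change_role("jdoe", "payroll")
    moved = set(p.accounts["jdoe"].groups)    # no leftover workstation-admins
    p.terminate("jdoe")
    return {
        "before_aua": before,
        "after_aua": after,
        "groups_after_move": moved,
        "residual_after_termination": p.residual_access("jdoe"),
        "can_sign_in_after_termination": p.can_sign_in("jdoe"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30s} {value}")
```

The mover step is the one that usually goes wrong in practice: adding the new role's groups on top of the old ones leaves a payroll clerk with workstation-admin rights. The residual_access check after termination is what an access review would run across every departed account, not just the one being processed.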
The Importance of Employee Agreements
Confidentiality or non-disclosure agreements:
An agreement between the employee and the organization
Defines what information may not be disclosed by the employee
Goal: to protect sensitive information
Especially important in these situations:
When an employee is terminated or leaves
When a third-party contractor was employed

The Importance of Employee Agreements cont.
Acceptable Use Agreement:
A policy contract between the company and the information systems user
Components of an Acceptable Use Agreement:
Introduction
Data classifications
Applicable policy statement
Handling standards
Contacts
Sanctions for violations
Acknowledgment

The Importance of Security Education and Training
Training employees. According to NIST:
"Federal agencies […] cannot protect […] information […] without ensuring that all people involved […]:
Understand their role and responsibilities related to the organization's mission
Understand the organization's IT security policy, procedures and practices
Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible"

The Importance of Security Education and Training cont.
Hackers adapt: if it is easier to use social engineering, i.e., to target users, than to attack a network device, that is the road they will take
Securing only the network devices and neglecting to train users on information security topics ignores half of the threats against the company

What Is the SETA Model?
SETA: Security Education, Training, and Awareness
Awareness is not training: it focuses the attention of employees on security topics in order to change their behavior
Security awareness campaigns should be scheduled regularly
Security training "seeks to teach skills" (per NIST)
Security training should NOT be dispensed only to the technical staff but to all employees

Summary
A security policy that does not treat personnel as a permanent threat to the data owned by the company is incomplete.
Social engineering is more virulent than ever.
Failing to train users on security topics is a serious mistake and may result in non-compliance with some federal mandates.
All users should sign the Acceptable Use Agreement before receiving access to the company's systems and equipment.